[c-nsp] High memory usage of Cisco PIX 515e

Michael Loftis mloftis at wgops.com
Thu Jun 2 12:55:27 EDT 2011


On Thu, Jun 2, 2011 at 12:59 AM, teklay gebremichael
<teklish76 at yahoo.com> wrote:
> hello,
> I am observing increased memory usage of my Cisco PIX firewall. I tried even to
<...>
> pix# sh conn count
> 9597 in use, 22745 most used
> pix# sh xlate count
> 14101 in use, 26759 most used

I don't think that there is any problem: you've got 10k+ connections
and the box has 64MB of memory; it's the very lowest level (EOS/EOL?)
PIX.  The 515 w/ 128MB was (very very optimistically) rated at 130k
connections.  Those numbers are usually quoted on a very minimal
configuration, no VPNs (of which the bigger 128MB variant can still only
hold open 2k), nothing more than basic stateful firewalling really.
And the difference between 64 and 128 is a lot, since I'm guessing the
base OS uses anywhere from a minimum of about 30MB up, before you get
a single connection set up.

If that many connections seems high for your network, then check your
network for peer-to-peer apps, like Skype, torrent servers, Bitcoin,
etc.  They all use a pretty high number of connections.  Or look for
other types of non-conforming traffic.  You could also try tweaking
the timeout settings to get the device to expire idle sessions more
aggressively.  Ten minutes on a half-closed connection is quite a
while, and depending on your usage pattern an hour for a connected
session without traffic may be high too.  Cisco's defaults are pretty
conservative in those areas.
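Added example (not part of the original thread or any Cisco tool): a short Python script that takes captured `show conn` output, ranks inside hosts by connection count so a peer-to-peer client stands out, and estimates how many entries a tighter `timeout conn ... half-closed ... udp ...` setting would already have expired. The line layout (`TCP out A:p in B:q idle h:mm:ss Bytes n flags ...`), the flag meaning (`f` = inside FIN seen, `F` = outside FIN seen, one of them meaning half-closed) and the default values (1:00:00 / 0:10:00 / 0:02:00) are reproduced from memory and should be treated as assumptions; the sample lines are constructed, not captured from a real PIX.

```python
"""Rank inside hosts by connection count and estimate what tighter idle
timeouts would free, from captured PIX "show conn" output.

Added example, not from the original post. The line format, flag letters
and default timeout values below are assumptions (from memory of PIX 6.x);
SAMPLE is constructed, not captured.
"""
import re
from collections import Counter

# Assumed PIX 6.x "show conn" line layout, e.g.
# TCP out 203.0.113.10:443 in 10.0.0.5:49152 idle 0:00:12 Bytes 5120 flags UIO
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out>[\d.]+):(?P<oport>\d+)"
    r"\s+in\s+(?P<in>[\d.]+):(?P<iport>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})"
    r"\s+Bytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?\s*$"
)

# Assumed defaults behind "timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00",
# the hour / ten minutes the post calls conservative.
DEFAULT_TIMEOUTS = {"conn": 3600, "half-closed": 600, "udp": 120}
# A tighter candidate setting to evaluate (hypothetical values).
TIGHTER_TIMEOUTS = {"conn": 1800, "half-closed": 300, "udp": 60}

# Constructed sample: 10.0.0.77 looks like a torrent client (many idle peers).
SAMPLE = """\
TCP out 203.0.113.10:443 in 10.0.0.5:49152 idle 0:00:12 Bytes 5120 flags UIO
TCP out 198.51.100.7:6881 in 10.0.0.77:51001 idle 0:42:10 Bytes 200 flags UIO
TCP out 198.51.100.8:6881 in 10.0.0.77:51002 idle 0:35:00 Bytes 180 flags UIO
TCP out 198.51.100.9:6881 in 10.0.0.77:51003 idle 0:25:00 Bytes 0 flags U
TCP out 198.51.100.10:6881 in 10.0.0.77:51004 idle 0:07:30 Bytes 90 flags UIOf
TCP out 203.0.113.20:80 in 10.0.0.5:49153 idle 0:04:00 Bytes 900 flags UIOF
UDP out 203.0.113.53:53 in 10.0.0.9:40000 idle 0:01:30 Bytes 64
"""


def hms_to_seconds(text):
    """'h:mm:ss' -> seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_conns(output):
    """Return one dict per connection line; lines that don't match are skipped."""
    conns = []
    for line in output.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        flags = m.group("flags") or ""
        # Assumption: exactly one of 'f' (inside FIN) / 'F' (outside FIN)
        # means the connection is half-closed.
        half_closed = ("f" in flags) != ("F" in flags)
        conns.append({
            "proto": m.group("proto"),
            "inside": m.group("in"),
            "outside": m.group("out"),
            "idle": hms_to_seconds(m.group("idle")),
            "half_closed": half_closed,
        })
    return conns


def top_inside_hosts(conns, n=5):
    """Inside hosts with the most connections; P2P clients float to the top."""
    return Counter(c["inside"] for c in conns).most_common(n)


def timeout_bucket(conn):
    """Which 'timeout' keyword governs this connection."""
    if conn["proto"] == "UDP":
        return "udp"
    return "half-closed" if conn["half_closed"] else "conn"


def freed_by_timeouts(conns, timeouts):
    """Per bucket, count connections whose idle time already exceeds the
    candidate timeout, i.e. entries the PIX would have expired under it."""
    freed = {key: 0 for key in timeouts}
    for c in conns:
        bucket = timeout_bucket(c)
        if c["idle"] > timeouts[bucket]:
            freed[bucket] += 1
    return freed


if __name__ == "__main__":
    conns = parse_conns(SAMPLE)
    print("top inside hosts:", top_inside_hosts(conns))
    print("expired under defaults:", freed_by_timeouts(conns, DEFAULT_TIMEOUTS))
    print("expired under tighter :", freed_by_timeouts(conns, TIGHTER_TIMEOUTS))
```

Run it against `show conn` output saved from the console (`parse_conns(open("conn.txt").read())`) rather than the constructed sample; the host ranking tells you who to look at, and comparing the two `freed_by_timeouts` results shows how much of the table a tighter setting buys before you commit it to the running config.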


More information about the cisco-nsp mailing list